In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sched/fair: Se corrige la posible corrupción de memoria en child_cfs_rq_on_list. child_cfs_rq_on_list intenta convertir un puntero 'prev' en un cfs_rq. Este puntero 'prev' puede originarse en leaf_cfs_rq_list de struct rq, invalidando la conversión y potencialmente provocando corrupción de memoria. Dependiendo de las posiciones relativas de leaf_cfs_rq_list y el puntero del grupo de tareas (tg) dentro de la estructura, esto puede causar un fallo de memoria o acceder a datos basura. El problema surge en list_add_leaf_cfs_rq, donde tanto cfs_rq->leaf_cfs_rq_list como rq->leaf_cfs_rq_list se añaden a la misma lista de hojas. Además, rq->tmp_alone_branch puede establecerse en rq->leaf_cfs_rq_list. Esto añade una comprobación `if (prev == &rq->leaf_cfs_rq_list)` después de la condición principal en child_cfs_rq_on_list. Esto garantiza que la operación container_of convierta una estructura cfs_rq correcta. Esta comprobación es suficiente porque solo se añaden a la lista las cfs_rqs en la misma CPU, por lo que basta con verificar el puntero `prev` con la cabecera de la lista de la rq actual. Corrige un posible problema de corrupción de memoria que, debido al diseño actual de la estructura, podría no manifestarse como un fallo, pero podría provocar un comportamiento impredecible al cambiar el diseño.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-787
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary |
en
CWE-787
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6a4dc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b83a6dbc0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b83a6dd00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc3f7ec0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd6a5c80> | Operating System |
| linux | linux_kernel | 6.14 | <built-in method update of dict object at 0x702bdd6a6600> | Operating System |
| linux | linux_kernel | 6.14 | <built-in method update of dict object at 0x702b83a6f100> | Operating System |
| linux | linux_kernel | 6.14 | <built-in method update of dict object at 0x702b5015fc00> | Operating System |
| linux | linux_kernel | 6.14 | <built-in method update of dict object at 0x702b83a6c600> | Operating System |
| linux | linux_kernel | 6.14 | <built-in method update of dict object at 0x702bdd6a4100> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:* |